Unable to push assets to a gitlab protected branch #504

Open
bolrock opened this issue Feb 14, 2024 · 1 comment
bolrock commented Feb 14, 2024

I have a protected master branch on my GitLab project.

I'm using this Docker image:

FROM node:21-alpine
RUN apk --update --no-cache add git
ENV JAVA_HOME /usr/lib/jvm/java-17-openjdk
ENV PATH $PATH:$JAVA_HOME/bin
ENV MAVEN_HOME /usr/share/maven
ENV MAVEN_VERSION 3.9.6
RUN apk --no-cache add openjdk17-jdk --repository=https://adoptopenjdk.jfrog.io/adoptopenjdk/alpine/
RUN wget -q "https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" -O /tmp/apache-maven.tar.gz && \
  tar xzf /tmp/apache-maven.tar.gz -C /usr/share/ && \
  ln -s /usr/share/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/bin/mvn && \
  rm -f /tmp/apache-maven.tar.gz
RUN npm install -g semantic-release conventional-changelog-conventionalcommits @semantic-release/git @semantic-release/gitlab @semantic-release/exec
CMD ["mvn"]

And I'm using this config:

{
  "branches": ["master"],
  "plugins": [
    [ "@semantic-release/commit-analyzer", {
      "preset": "conventionalcommits",
    }],
    "@semantic-release/release-notes-generator",
    [ "@semantic-release/exec", {
      "verifyReleaseCmd": 'mvn versions:set -DnewVersion="${nextRelease.version}" && echo "NEXT_VERSION=${nextRelease.version}" >> build.env',
    }],
    ["@semantic-release/git", {
      "assets": ["pom.xml"],
      "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
    }],
    "@semantic-release/gitlab"
  ]
}

Without the @semantic-release/git module it is working fine. The tag is created and pushed to the master branch.
But it seems the module cannot push the assets to the master branch.

[1:04:43 PM] [semantic-release] [@semantic-release/git] › ℹ  Found 1 file(s) to commit
[1:04:44 PM] [semantic-release] › ✘  Failed step "prepare" of plugin "@semantic-release/git"
[1:04:44 PM] [semantic-release] › ✘  An error occurred while running semantic-release: Error: Command failed with exit code 1: git push --tags https://gitlab-ci-token:[secure]@mygitlab.com/myproject.git HEAD:master
remote: GitLab: You are not allowed to push code to protected branches on this project.

Adding a printenv in the script I can see my GITLAB_TOKEN variable with my token.

But I don't understand if it's really possible to push to master with a personal access token?
I also tried removing the GITLAB_TOKEN from the project variables and adding

before_script:
  - export GITLAB_TOKEN="$CI_JOB_TOKEN"
  - export GITLAB_URL="$CI_SERVER_URL"

Now the printenv still shows me the variable

GITLAB_TOKEN=[MASKED]

But it is still not working (for another reason).

The GitLab token (https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) configured in the GL_TOKEN or GITLAB_TOKEN environment variable must be a valid personal access token

I don't want to unprotect my master branch. So what's the solution?

travi (Member) commented Feb 16, 2024

> I also tried removing the GITLAB_TOKEN from the project variable and adding
>
> before_script:
>   - export GITLAB_TOKEN="$CI_JOB_TOKEN"
>   - export GITLAB_URL="$CI_SERVER_URL"

Unfortunately, the CI_JOB_TOKEN does not provide the ability to push code. See semantic-release/semantic-release#1729 for more discussion about that situation.

> Without the @semantic-release/git module it is working fine. The tag is created and pushed to the master branch. But it seems the module cannot push the assets to the master branch.

You need to verify the permissions you've granted to your token. You need to use a token that provides the appropriate level of access. It appears that the one you are using does not provide the ability to push code to a protected branch.
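
One way to carry out the permission check described in the reply above, as an added example (not code from semantic-release or from either commenter). The function name `checkPushAccess` is hypothetical, all sample values are constructed, and it assumes that a token with the `api` or `write_repository` scope is accepted for `git push` over HTTPS.

```javascript
// Added example: offline check of a GitLab token against a protected branch.
// The three objects mirror responses from GitLab REST API v4:
//   GET /personal_access_tokens/self
//   GET /projects/:id/members/all/:user_id
//   GET /projects/:id/protected_branches/:name
// All values below are constructed sample data, not taken from the issue.

// Assumption: these token scopes permit `git push` over HTTPS.
const PUSH_SCOPES = ['api', 'write_repository'];

function checkPushAccess(token, member, branch) {
  const problems = [];
  if (!token.active || token.revoked) problems.push('token is revoked or inactive');
  if (!token.scopes.some((s) => PUSH_SCOPES.includes(s))) {
    problems.push(`token scopes [${token.scopes}] lack ${PUSH_SCOPES.join(' or ')}`);
  }
  // A rule matches if it names this user, or is role-based (no user_id or
  // group_id) and the member's role meets it. access_level 0 means "No one".
  const allowedByRule = branch.push_access_levels.some((rule) => {
    if (rule.user_id != null) return rule.user_id === token.user_id;
    if (rule.group_id != null) return false; // group membership not modelled here
    return rule.access_level > 0 && member.access_level >= rule.access_level;
  });
  if (!allowedByRule) {
    const wanted = branch.push_access_levels
      .map((r) => r.access_level_description).join(', ');
    problems.push(`role level ${member.access_level} not in "Allowed to push": ${wanted}`);
  }
  return { allowed: problems.length === 0, problems };
}

// Constructed sample: Developer (30) token, branch restricted to Maintainers (40).
const sampleToken = { user_id: 7, active: true, revoked: false, scopes: ['api'] };
const sampleMember = { id: 7, access_level: 30 };
const sampleBranch = {
  name: 'master',
  push_access_levels: [
    { access_level: 40, access_level_description: 'Maintainers', user_id: null, group_id: null },
  ],
};

const result = checkPushAccess(sampleToken, sampleMember, sampleBranch);
console.log(result.allowed ? 'push allowed' : result.problems.join('\n'));
```

With the sample data the scope check passes but the role check fails, which matches the "not allowed to push code to protected branches" rejection: the fix is either a token owned by a Maintainer or adding the token's user or role under "Allowed to push and merge" for the branch.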
